Bluetooth: Fix potential bad memory access with sysfs files

When creating a high number of Bluetooth sockets (L2CAP, SCO
and RFCOMM) it is possible to scribble repeatedly on arbitrary
pages of memory. Ensure that the content of these sysfs files is
always less than one page. Even if this means truncating. The
files in question are scheduled to be moved over to debugfs in
the future anyway.

Based on initial patches from Neil Brown and Linus Torvalds

Reported-by: Neil Brown <neilb@suse.de>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

1 files changed, 10 insertions, 1 deletions

diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index f93b939539b..967a75175c6 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -960,13 +960,22 @@ static ssize_t sco_sysfs_show(struct class *dev,
         struct sock *sk;
         struct hlist_node *node;
         char *str = buf;
+        int size = PAGE_SIZE;
 
         read_lock_bh(&sco_sk_list.lock);
 
         sk_for_each(sk, node, &sco_sk_list.head) {
-                str += sprintf(str, "%s %s %d\n",
+                int len;
+
+                len = snprintf(str, size, "%s %s %d\n",
                                 batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
                                 sk->sk_state);
+
+                size -= len;
+                if (size <= 0)
+                        break;
+
+                str += len;
         }
 
         read_unlock_bh(&sco_sk_list.lock);